HCBA Lawyer Magazine Vol. 28, No. 2 - Page 52

Findings and Best Practices from SEC on Creating an Effective Cybersecurity Program

Securities Section Chairs: Rob Jamieson – Wiand Guerra King & Matthew Schwartz – Cole Scott Kissane

Because cybersecurity is currently a hot topic with regulators, substantial guidance is being generated to outline best practices that firms should follow when designing robust cybersecurity programs. The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently provided such guidance in a Risk Alert reporting its recent sweep examination results. See SEC, Observations from Cybersecurity Examinations, Vol. VI, Issue 5 (Aug. 7, 2017). While the industry awaits definitive rules surrounding cybersecurity, the SEC makes a number of resources available to provide firms guidance when implementing and managing cybersecurity programs. This guidance was created in part from OCIE’s 2014 Cybersecurity Initiative and examination findings of over 50 firms’ cybersecurity practices. See SEC OCIE, Cybersecurity Initiative, Vol. IV, Issue 2 (Apr. 15, 2014); SEC OCIE, Cybersecurity Examination Sweep Summary, Vol. IV, Issue 4 (Feb. 3, 2015).

Cybersecurity Procedures Are Improving

In 2015, OCIE’s examinations focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. The results of those examinations, which were recently released, revealed that firms have generally increased their overall cybersecurity preparedness. In fact, the results show that nearly every firm examined maintained some form of cybersecurity policies and procedures. The majority of firms also conducted periodic risk assessments and penetration tests, and used systems to prevent or detect data breaches. The cybersecurity programs that firms adopted have several similarities. OCIE found firms regularly addressed business continuity planning and privacy concerns, and nearly all firms developed response plans to cover data breaches. Firms have also begun to clearly identify cybersecurity roles and responsibilities for associated persons.

Improving Cybersecurity Procedures

In addition to providing the results of its examinations, OCIE has identified several specific elements that firms should adopt when designing an effective cybersecurity program:
• maintain an inventory of data, information, and vendors;
• create detailed cybersecurity-related instructions in policies;
• maintain schedules and processes for testing data integrity and vulnerability;
• enforce data access controls;
• conduct employee training; and
• obtain senior management support and approval.

Continued on page 51

50 NOV-DEC 2017 | HCBA LAWYER